I built a web site that will be deployed and maintained by my company's IT department. My web site's backend needs to access a third-party API on the internet. IT says it is not allowed to access the external network from this site. Is this an acceptable security restriction? What is the secure way to make an external API call?
-
Well, if it's behind their firewall, they are the gate-keepers. You'll need to come to a solution with them. Be a partner, not a mole... – ircmaxell Jun 24 '13 at 15:52
-
What could I suggest them as a secured solution? – Yaron Naveh Jun 24 '13 at 15:55
-
Work that out with them. Find out what their reservations are. Find out their policies and how they generally handle this... – ircmaxell Jun 24 '13 at 15:56
-
This would be more appropriate on serverfault.com – Danack Jun 24 '13 at 16:31
1 Answer
The reason why your IT department wants to restrict access to arbitrary external websites is to theoretically make it harder to move any data off your web server to another server in the circumstances where a hacker has managed to upload and execute some arbitrary code.
This is not a totally unreasonable policy to have, as it does help mitigate an attack, even if it doesn't totally block an attack.
The standard way to allow connections to the outside world, but in a controlled manner, is for your IT department to set up a proxy, and then your application should make all connections to other websites through that. The proxy should have a white-list of all domains that your code is allowed to connect to, blocking all other requests.
That should allow your software to do what it needs to do, while still mitigating the potential for hackers to be able to move data off the server.
btw if your IT department is capable of it, you should be able to configure the proxy so that any request to a non-whitelisted site will trigger an alarm, as it would indicate a probable intrusion on the server, and it's now running hacker-uploaded code.
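An added example, not from the answer above or from the asker's application, of the two proxy-side pieces the answer describes: the allowlist decision (exact host match, HTTPS only, default port) and the alarm raised for any request that falls outside it. The allowlist entry, the log line format and the sample log lines are constructed for illustration.

```python
"""Egress allowlist check plus alerting over proxy access-log lines."""
from urllib.parse import urlsplit

# Hypothetical allowlist: only the one third-party API the backend needs.
ALLOWLIST = {"api.example-partner.com"}


def is_allowed(url, allowlist=ALLOWLIST):
    """True only for https URLs on the default port whose host is on the allowlist.

    The host is taken from urlsplit().hostname, so userinfo tricks such as
    https://api.example-partner.com@evil.invalid/ resolve to the real host.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    try:
        port = parts.port  # raises ValueError for a malformed port
    except ValueError:
        return False
    if port not in (None, 443):
        return False
    host = (parts.hostname or "").lower()
    return host in allowlist


# Constructed sample proxy log, one request per line: client destination status
SAMPLE_LOG = """\
10.0.1.5 https://api.example-partner.com/v1/orders 200
10.0.1.5 https://api.example-partner.com/v1/orders/42 200
10.0.1.5 https://pastebin-lookalike.invalid/upload 403
10.0.1.5 http://api.example-partner.com/v1/orders 403
10.0.1.5 https://203.0.113.9:8443/ 403
"""


def alerts_from_log(log_text, allowlist=ALLOWLIST):
    """Return one alert record per request whose destination is off the allowlist.

    Any hit here is the "alarm" condition from the answer: the web server tried
    to reach somewhere its legitimate code never needs to go.
    """
    alerts = []
    for line in log_text.splitlines():
        client, url, status = line.split()
        if not is_allowed(url, allowlist):
            alerts.append({"client": client, "url": url, "status": int(status)})
    return alerts


if __name__ == "__main__":
    for alert in alerts_from_log(SAMPLE_LOG):
        print("ALERT non-allowlisted egress:", alert)
```

In practice the alert records would be forwarded to whatever monitoring the IT department already runs rather than printed.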